AWS SAP-C02 Tutorial 6: Security

  • Keys are managed by AWS, so the level of security is high
  • AWS KMS integrates with most other AWS services that encrypt data

Example question: A company needs to move its write-intensive Amazon RDS for PostgreSQL database from the eu-west-1 Region to the eu-north-1 Region. As part of the migration, the company needs to change from Amazon RDS for PostgreSQL to Amazon Aurora PostgreSQL.
The company is using a new AWS account to host a new Aurora PostgreSQL DB cluster. The RDS database is encrypted with an AWS managed AWS Key Management Service (AWS KMS) key. There must be no interruption to applications that use the RDS for PostgreSQL DB instance.
Which solution will meet these requirements?
A. Create VPC peering between the VPCs in both accounts. Take a snapshot of the RDS DB instance. Export the snapshot to Amazon S3. Create an S3 gateway endpoint. Use the S3 sync command for ongoing synchronization of data. Restore the snapshot from Amazon S3 in the Aurora account. Migrate the snapshot to the Aurora DB cluster.
B. Create VPC peering between the VPCs in both accounts. Import the AWS managed KMS key to the Aurora account. Take a snapshot of the RDS DB instance. Share the snapshot with the Aurora account. Copy the shared snapshot to eu-north-1 in the Aurora account. Migrate the shared snapshot to the Aurora DB cluster. Use AWS Database Migration Service (AWS DMS) with ongoing replication to complete the migration.
C. Create VPC peering between the VPCs in both accounts. Copy the AWS managed KMS key to the Aurora account. Create an Aurora cross-Region read replica of the RDS DB instance in the Aurora account. Promote the read replica from standby DB instance to primary DB instance.
D. Create VPC peering between the VPCs in both accounts. Create a multi-Region customer managed KMS key in the RDS account, and share the key with the Aurora account. Modify the cluster to use the customer managed KMS key. Take a snapshot of the RDS DB instance. Share the snapshot with the Aurora account. Copy the shared snapshot to eu-north-1 in the Aurora account. Migrate the shared snapshot to the Aurora DB cluster. Use AWS Database Migration Service (AWS DMS) with ongoing replication to complete the migration.
Answer: D
Answer analysis: The question requires migrating a PostgreSQL database across Regions while using KMS for key management, so option D fits best.

Example question: A company is implementing a serverless architecture by using AWS Lambda functions that need to access a Microsoft SQL Server DB instance on Amazon RDS. The company has separate environments for development and production, including a clone of the database system. The company's developers are allowed to access the credentials for the development database. However, the credentials for the production database must be encrypted with a key that only members of the IT security team's IAM user group can access. This key must be rotated on a regular basis.
What should a solutions architect do in the production environment to meet these requirements?
A. Store the database credentials in AWS Systems Manager Parameter Store by using a SecureString parameter that is encrypted by an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the SecureString parameter. Restrict access to the SecureString parameter and the customer managed key so that only the IT security team can access the parameter and the key.
B. Encrypt the database credentials by using the AWS Key Management Service (AWS KMS) default Lambda key. Store the credentials in the environment variables of each Lambda function. Load the credentials from the environment variables in the Lambda code. Restrict access to the KMS key so that only the IT security team can access the key.
C. Store the database credentials in the environment variables of each Lambda function. Encrypt the environment variables by using an AWS Key Management Service (AWS KMS) customer managed key. Restrict access to the customer managed key so that only the IT security team can access the key.
D. Store the database credentials in AWS Secrets Manager as a secret that is associated with an AWS Key Management Service (AWS KMS) customer managed key. Attach a role to each Lambda function to provide access to the secret. Restrict access to the secret and the customer managed key so that only the IT security team can access the secret and the key.
Answer: D
Answer analysis: The question requires that only IAM users on the IT security team can access the key, and that the key is rotated regularly. Key management is best done with KMS, while the credentials can be stored in either Parameter Store or Secrets Manager; since the question requires regular rotation, Secrets Manager is the right choice. So option D is correct.

  • Provides a CLI and SDKs for encryption and decryption
  • Can only encrypt content smaller than 4 KB
  • Integrates with CloudTrail for auditing API calls
  • Keys can be rotated

2.2 Key types

There are 3 different types of KMS keys, with the differences shown below (the exam tests telling customer managed keys apart from AWS managed keys):
[figure: comparison table of the three KMS key types; image not available in this copy]

Example question: A company has multiple business units. Each business unit has its own AWS account and runs a single website within that account. The company also has a single logging account. Logs from each business unit website are aggregated into a single Amazon S3 bucket in the logging account. The S3 bucket policy provides each business unit with access to write data into the bucket and requires data to be encrypted.
The company needs to encrypt logs uploaded into the bucket using a single AWS Key Management Service (AWS KMS) CMK. The CMK that protects the data must be rotated once every 365 days.
Which strategy is the MOST operationally efficient for the company to use to meet these requirements?
A. Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account only. Manually rotate the CMK every 365 days.
B. Create a customer managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Enable automatic rotation of the CMK.
C. Use an AWS managed CMK in the logging account. Update the CMK key policy to provide access to the logging account and business unit accounts. Manually rotate the CMK every 365 days.
D. Use an AWS managed CMK in the logging account. Update the CMK key policy to provide access to the logging account only. Enable automatic rotation of the CMK.
Answer: B
Answer analysis:
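
Added example (not from the original post): Python that builds the kind of key policy option B calls for, scopes cross-account use to S3 with the kms:ViaService condition, audits the policy for over-broad grants, and turns on automatic rotation through the real boto3 put_key_policy and enable_key_rotation calls. The same builder and audit cover the earlier Secrets Manager question, with the IT security team's principals in place of the business unit accounts; the account IDs, region and key ID are constructed placeholders, and the boto3 client is injected so the block runs offline.

```python
import json

# What an S3 SSE-KMS uploader needs from the key; readers would also need kms:Decrypt.
WRITER_ACTIONS = ["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_log_key_policy(logging_account, business_unit_accounts, region):
    """Key policy for a customer managed key in the logging account (constructed IDs)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # key administration stays in the logging account
                "Sid": "LoggingAccountAdmin",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{logging_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # cross-account use, limited to calls made through S3 in this region
                "Sid": "BusinessUnitS3Writes",
                "Effect": "Allow",
                "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in business_unit_accounts]},
                "Action": WRITER_ACTIONS,
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
            },
        ],
    }


def audit_key_policy(policy, admin_accounts, writer_accounts):
    """Findings (empty = OK): no wildcard principal, kms:* only for admins, every writer granted."""
    findings, granted = [], set()
    for st in policy["Statement"]:
        principals = st["Principal"].get("AWS", []) if isinstance(st["Principal"], dict) else "*"
        if principals == "*":
            findings.append(f"{st['Sid']}: wildcard principal")
            continue
        if isinstance(principals, str):
            principals = [principals]
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for acct in (arn.split(":")[4] for arn in principals):   # account ID field of the ARN
            if "kms:*" in actions and acct not in admin_accounts:
                findings.append(f"{st['Sid']}: kms:* granted to {acct}")
            granted.add(acct)
    findings += [f"missing grant for business unit {a}" for a in sorted(writer_accounts - granted)]
    return findings


def apply_policy_and_rotation(kms, key_id, policy):
    """kms is a boto3 KMS client (injected so it can be faked); both calls are real boto3 APIs."""
    kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=json.dumps(policy))
    kms.enable_key_rotation(KeyId=key_id)   # automatic yearly rotation, no manual step
```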
